General
-
Target
3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b
-
Size
2.9MB
-
Sample
241030-19xgzascrf
-
MD5
5f872bf66a9e456c70f7ee4fa6b53e4c
-
SHA1
b1671863784faf70581dbfe7567341dc5bf8f304
-
SHA256
3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b
-
SHA512
3306d0938d1226d893b0e6db11b3a16ce183e71604c559b0c2dd42b60d062fac66cea810b32abcc8fd5b0ac2b85f832433baa732fa728b928da862aa5f16edc9
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHm:7v97AXmw4gxeOw46fUbNecCCFbNecF
Malware Config
Targets
-
-
Target
3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b
-
Size
2.9MB
-
MD5
5f872bf66a9e456c70f7ee4fa6b53e4c
-
SHA1
b1671863784faf70581dbfe7567341dc5bf8f304
-
SHA256
3ee783c204048897f91ce19e6ec58f85a6f2fd1f10bb1f06c3fcc1b6ae6f9b5b
-
SHA512
3306d0938d1226d893b0e6db11b3a16ce183e71604c559b0c2dd42b60d062fac66cea810b32abcc8fd5b0ac2b85f832433baa732fa728b928da862aa5f16edc9
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHm:7v97AXmw4gxeOw46fUbNecCCFbNecF
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4